WebKit Bugzilla
RESOLVED FIXED
Bug 117280: JSC: Crash beneath cti_op_div @ http://gmailblog.blogspot.com
https://bugs.webkit.org/show_bug.cgi?id=117280
Michael Saboff
Reported
2013-06-05 21:41:05 PDT
We are crashing because an argument variable is being speculated to be an Int32, but there isn't a corresponding speculation check on entry to the function. When it is called with a non-int value and we OSR exit for some other reason, we crash in the baseline JIT because the tag is bogus.
Attachments
Patch (5.84 KB, patch), 2013-06-05 22:01 PDT, Michael Saboff; fpizlo: review+
Michael Saboff
Comment 1
2013-06-05 21:41:22 PDT
<rdar://problem/13548820>
Michael Saboff
Comment 2
2013-06-05 22:01:33 PDT
Created attachment 203903
Patch
This fixes the problem by merging the various attributes of a VariableAccessData with the root node of the unified set of VariableAccessData nodes. Before, we were merging with a leaf node and therefore the merge didn't propagate to the code generation phase. This is performance neutral on SunSpider and V8.
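The leaf-versus-root distinction described in Comment 2, as an added example that is not part of the bug report or the WebKit patch: a simplified union-find model that assumes code generation reads attributes only from the root of a unified set. The names `VarData`, `checkOnEntry`, `markOnLeaf`, `markOnRoot`, `codegenEmitsCheck` and `entryCheckEmitted` are hypothetical and are not JavaScriptCore identifiers.

```cpp
// Added illustration, not WebKit/JSC source. All names are hypothetical.
#include <cstdio>

struct VarData {
    VarData* parent = nullptr;  // union-find link; nullptr marks the root of a set
    bool checkOnEntry = false;  // hypothetical attribute: emit a type check on function entry

    // Return the root of this node's set.
    VarData* find() {
        VarData* root = this;
        while (root->parent)
            root = root->parent;
        return root;
    }
};

// Unify two sets; a's root survives and inherits the attributes of b's root.
void unify(VarData* a, VarData* b) {
    VarData* ra = a->find();
    VarData* rb = b->find();
    if (ra == rb)
        return;
    ra->checkOnEntry |= rb->checkOnEntry;
    rb->parent = ra;
}

// Pattern described as the bug: the attribute lands on whatever node is in hand.
void markOnLeaf(VarData* v) { v->checkOnEntry = true; }

// Pattern described as the fix: the attribute lands on the root of the unified set.
void markOnRoot(VarData* v) { v->find()->checkOnEntry = true; }

// Assumption of this model: code generation reads attributes from the root only.
bool codegenEmitsCheck(VarData* v) { return v->find()->checkOnEntry; }

// Unify an argument with a later use, mark the use, then ask codegen about the argument.
bool entryCheckEmitted(bool mergeWithRoot) {
    VarData argument, use;
    unify(&argument, &use);  // `argument` is the root, `use` is a leaf
    if (mergeWithRoot) markOnRoot(&use); else markOnLeaf(&use);
    return codegenEmitsCheck(&argument);
}

int main() {
    std::printf("merge with leaf: check emitted = %d\n", entryCheckEmitted(false));
    std::printf("merge with root: check emitted = %d\n", entryCheckEmitted(true));
    return 0;
}
```

In this model the leaf merge leaves the root's flag unset, so the entry check is never generated even though the attribute was recorded.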
Michael Saboff
Comment 3
2013-06-06 08:37:24 PDT
Committed r151273: <http://trac.webkit.org/changeset/151273>
Alexey Proskuryakov
Comment 4
2013-06-06 15:51:31 PDT
*** Bug 116052 has been marked as a duplicate of this bug. ***